ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Job Search

v1.0.0

中国招聘平台搜索技能。支持BOSS直聘、智联招聘、前程无忧三大平台,提供关键词搜索、地点筛选、薪资范围过滤等功能。专门针对中国本土招聘市场设计。

0· 40·0 current·0 all-time
by@jarryk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (search BOSS/智联/51job) align with the shipped code: multiple platform parsers, JobSearcher, and run/test scripts. The declared dependencies (requests, BeautifulSoup, fake-useragent) match scraping functionality. However the repository also contains production/optimized searchers, persistence (SQLite/file export), email notification examples, proxy support and explicit suggestions to use Selenium/proxies to bypass anti-scraping — capabilities beyond a minimal search helper. Those extra capabilities are plausible for a production scraper but are broader than a simple 'search' skill and deserve attention.
!
Instruction Scope
SKILL.md itself stays on-topic (how to query and install deps), but additional documentation and scripts (DEPLOYMENT_GUIDE, direct_test, analyze_51job, many searcher variants) instruct the user how to: save raw HTML to disk, rotate User-Agent, use proxies, add delays, run Selenium to bypass anti-bot, persist results, schedule periodic tasks, and send email notifications. These instructions expand scope from one-off queries to persistent, automated scraping that can evade protections. The skill does not instruct reading unrelated system secrets, but it does write files and can persist/search data locally.
Install Mechanism
There is no install spec; it's an instruction-and-code bundle. Dependencies are standard Python scraping libraries (requests, bs4, fake-useragent) listed in a requirements.txt. No downloads from untrusted URLs or archive extraction were observed in the provided metadata. Risk is primarily from running the Python code itself, not from an external installer.
Credentials
The skill declares no required environment variables or credentials, which is consistent with basic scraping. However multiple files show optional support for proxies and an email-notification function (smtplib example) and examples referencing SMTP/proxy endpoints. Those features would require credentials/configuration if used but are not declared as required — a mild mismatch. No evidence of the skill attempting to read hidden system credential paths or other skills' configs was found.
Persistence & Privilege
always:false (normal). The code includes examples and utilities to persist results (SQLite, JSON, CSV), write saved HTML pages to disk, export files, and create scheduled tasks that run periodic searches and append to local files. It does not appear to modify other skills or global agent settings. Autonomous invocation is allowed by default; combined with scheduling/persistence and the documented guidance for evasion, that increases the potential blast radius if you enable automated runs.
What to consider before installing
This package is functionally coherent for scraping Chinese job sites, but it goes beyond simple query/formatting: it includes instructions and code for saving raw HTML, persisting results to DB/files, scheduling repeated searches, sending notifications, and explicitly suggests proxies and Selenium to evade anti-bot defenses. Before installing or running: 1) Review the Python scripts (especially any that call requests.get, write files, use proxies or schedule tasks) and run them in a sandboxed environment. 2) Do not supply production credentials (SMTP, proxy) unless you trust the source; prefer ephemeral test credentials. 3) Ensure you comply with each target site's robots.txt and terms of service — the code shows explicit evasion strategies which may be illegal or breach ToS. 4) If you only need one-off, read-only queries, restrict use to simple search scripts (e.g., demo_simple.py) and avoid enabling scheduled jobs or Selenium/proxy code. 5) Because the skill author/source is unknown, prefer obtaining similar functionality from a vetted/trusted repository or review the code thoroughly before granting it network access or enabling autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f5v3rqgy3qj4gsay3j6c9w984sa28

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis

Comments